Impact Levels Gone Wrong: When Good Policy Turns Bad

Jeff Day
Writer @ RifledPipelines
Matt Flautt
Writer @ RifledPipelines

Federal cyber policy is meant to improve software security posture. So why doesn’t it?

There are policies that are just bad, like “Don’t deploy on Fridays.” For those unaware, this somewhat common idea is bad because it indicates a lack of trust in an organization’s deployment mechanisms, developers, or both. This policy is not a solution to the underlying problem!

Of course, there are policies that are good, or at least neutral, on paper. However, poor interpretation by practitioners can still lead to poor outcomes. The Department of Defense’s practices regarding commercial cloud usage (Impact Levels) could be one such example.

Impact Levels?

Impact Levels are simply a way to classify data according to the harm its compromise could do to national security.

In the case of the DoD’s Impact Levels, more stringent security controls govern systems that process data at higher impact levels while less stringent standards are applied to lower impact systems. This makes sense!

But inevitably, higher impact level information finds its way onto lower impact level systems. In practice, this happens frequently enough that leaders often decide it is too risky to approve low impact level systems, meaning all systems must meet higher security requirements. Even relatively unimportant data gets protected by a metaphorical Fort Knox, instead of just the gold.

Good policies go wrong all the time. For example, training requirements can be good, but not when the training isn’t available to everyone who needs it. Centralized services can reduce costs, but not when they can’t keep up with demand. Mandated architectures can improve quality, but not when they don’t fit a given solution.

It doesn’t end there; bad policies have reverberating consequences. People need to accomplish their missions. When systems don’t meet their needs, they find a way.

Policy that can be easily misinterpreted is bad; policy that leads to poor outcomes is bad; and bad policy is worse than no policy. Removing bad policy creates better security. Hopefully we can all agree on that 🙂.